3Terms relating to the processing of personal data
(1)This section defines some terms used in this Act.
(2)“Personal data” means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).
(3)“Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to—
(a)an identifier such as a name, an identification number, location data or an online identifier, or
(b)one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
(4)“Processing”, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as—
(a)collection, recording, organisation, structuring or storage,
(b)adaptation or alteration,
(c)retrieval, consultation or use,
(d)disclosure by transmission, dissemination or otherwise making available,
(e)alignment or combination, or
(f)restriction, erasure or destruction,
(subject to subsection (14)(c) and sections 5(7), 29(2) and 82(3), which make provision about references to processing in the different Parts of this Act).
(5)“Data subject” means the identified or identifiable living individual to whom personal data relates.
(6)“Controller” and “processor”, in relation to the processing of personal data to which Chapter 2 or 3 of Part 2, Part 3 or Part 4 applies, have the same meaning as in that Chapter or Part (see sections 5, 6, 32 and 83 and see also subsection (14)(d)).
(7)“Filing system” means any structured set of personal data which is accessible according to specific criteria, whether held by automated means or manually and whether centralised, decentralised or dispersed on a functional or geographical basis.
(8)“The Commissioner” means the Information Commissioner (see section 114).
(9)“The data protection legislation” means—
(a)the GDPR,
(b)the applied GDPR,
(c)this Act,
(d)regulations made under this Act, and
(e)regulations made under section 2(2) of the European Communities Act 1972 which relate to the GDPR or the Law Enforcement Directive.
(10)“The GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
(11)“The applied GDPR” means the GDPR as applied by Chapter 3 of Part 2.
(12)“The Law Enforcement Directive” means Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
(13)“The Data Protection Convention” means the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data which was opened for signature on 28 January 1981, as amended up to the day on which this Act is passed.
(14)In Parts 5 to 7, except where otherwise provided—
(a)references to the GDPR are to the GDPR read with Chapter 2 of Part 2 and include the applied GDPR read with Chapter 3 of Part 2 ;
(b)references to Chapter 2 of Part 2, or to a provision of that Chapter, include that Chapter or that provision as applied by Chapter 3 of Part 2;
(c)references to personal data, and the processing of personal data, are to personal data and processing to which Chapter 2 or 3 of Part 2, Part 3 or Part 4 applies;
(d)references to a controller or processor are to a controller or processor in relation to the processing of personal data to which Chapter 2 or 3 of Part 2, Part 3 or Part 4 applies.
(15)There is an index of defined expressions in section 206.